Protecting Europe against large-scale cyber-attacks - European Union Committee Contents


Memorandum by Symantec

  Today the very foundations of the UK's and Europe's modern society and economic stability are built on electronic communication infrastructures that span national, European and international borders, and on the data that is shared, processed and stored within these networks. The move away from closed, nationally protected computer networks to a more borderless, open, accessible, Internet-based, networked environment means that safeguarding electronic networks and systems from possible attack or disruption is a crucial component of nations' critical infrastructure protection. This relatively recent shift towards greater dependency and reliance on Internet-based systems and networks across Europe requires a change in the approach to critical infrastructure protection, one that recognises that cyber-related risks and attacks could now affect more than just one nation.

It is particularly important that such risks are identified quickly and addressed effectively, particularly given the significant increase in criminal use of the Internet for purposes such as identity theft and extortion. For example, targeted attacks designed to prevent the legitimate use of systems, such as "denial of service" attacks, have been seen. These and related crimes are committed by infecting the computer systems used by citizens and organisations with malicious computer code: viruses, worms and Trojan horses. Such infections generally occur as a result of poor security practices on the part of system owners and users, and they enable the spread of spam and phishing and the establishment of networks of compromised systems under criminal control, called "botnets".

  This current online threat environment, and the pervasive nature of Internet-based technology within European society, was recognised by the European Commission in its recent Communication on "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience". Symantec supports the approach taken by the Commission's Communication on the steps needed to protect the resilience and robustness of EU information and communications networks. Given the current online threat environment, only by industry stakeholders and government working together can the security of the critical infrastructure within each Member State, across Europe and globally be protected. The suggestion of holding common exercises and collaborating with the private sector in the area of information exchange and early warning is seen as a key element of the approach. It is felt that the EU's approach could also provide an opportunity to consider and address possible legislative obstacles or challenges in this area and to ensure an appropriate legal framework is in place. Furthermore, it is an opportunity to recognise private sector activities and efforts already underway and to highlight examples of best practice in addressing the need for greater co-operation and collaboration in this area.

  Clearly there is a role for Member States to address possible cyber-related risks to national systems, as well as a role for the European Union to consider the protection of European networks and systems. However, given that up to 90% of critical infrastructure assets in some countries are understood to be privately owned and operated, public and private sector collaboration is a key factor in critical infrastructure protection. Addressing Europe's cyber security challenges is not something that can be solved by one Member State, European institution, law enforcement body, business or individual acting alone. Protecting Europe from cyber threats and attacks requires a co-operative effort and an understanding of the current online threat environment.

CURRENT ONLINE THREAT ENVIRONMENT

  For the last seven years Symantec has produced its Internet Security Threat Report, which provides an overview and analysis of worldwide Internet threat activity and a review of known vulnerabilities and of trends in activities such as phishing, botnets and spam. The report is based on the most comprehensive source of Internet threat data, gathered from Symantec's Global Intelligence Network. This network is based on 240,000 sensors in over 200 countries that monitor attack activity through the deployment of Symantec's products and services, which actively protect businesses and consumers online.

  According to the latest Internet Security Threat Report, published in April 2009, cyber threats continue to be aimed at exploiting end users for profit, with attackers refining their online activities and their ability to conduct online crime such as fraud and large scale attacks. The continued growth of the Internet, and the growing number of people using it for an array of activities, presents cyber attackers with an ever-growing range of targets and various means of launching malicious attacks. Web-based attacks are now seen as the main vehicle for malicious activity over the Internet: users visit legitimate websites that have been compromised in order to spread malicious code or to infect machines and so create botnets that can be used for other online criminal activity. This does not mean that the risks from more traditionally understood cyber threats have decreased. In 2008 Symantec detected 55,389 phishing website hosts, an increase of 66% over 2007, when 33,428 phishing hosts were detected. There was also a 192% increase in spam detected across the Internet, from 199.6 billion messages in 2007 to 349.6 billion in 2008.

  Overall, cyber attacks are becoming increasingly complex, sophisticated and organised. Information is now the key target for cyber criminals. Online attackers are no longer motivated by notoriety but by economic gain. Individuals and businesses are being attacked to gain access to information, which has become a valuable online commodity that can be used to conduct phishing, spam attacks and online identity theft. Cyber attackers are also becoming more organised and are running their operations as a business. For example, cyber criminals are known to have contingency plans in place to relocate their activities around the world if those activities are detected.

Threat analysis

    How vulnerable is the Internet to wide-spread technical failures? To what extent is it likely to be affected by natural disasters?

  From the perspective of the computer security industry, and on the basis of experience to date, it is suggested that the Internet has been resilient. However, it is suggested that the view of others, such as the ISP community, which is particularly involved in the administration of Internet infrastructures, is sought on this question.

  Overall, however, the Internet is simply a series of interconnected computer networks, systems and, essentially, large servers based all around the world. As with any electronic or computerised system, these computers rely on electrical power to function. Therefore a natural disaster that disrupts power within a country or region could potentially affect the ability of Internet users to gain access to online networks or systems. Physically, therefore, the Internet is susceptible to regional interruption, such as when cables are broken. In such an incident, although routing information may be updated to route Internet traffic around the broken connection, entire countries could be left unable to access parts of the Internet for many hours or days. Such outages have occurred when an undersea cable providing network connectivity to the Middle East was damaged.

  A possible technical threat was seen in 2008 with the publication of a fundamental flaw in the DNS system. This incident underlined that many of the protocols necessary for the Internet to operate may possess weaknesses that could be maliciously exploited. Internet protocols are implemented by a relatively small set of programs (BIND for DNS and Apache for HTTP, for example). Even if an underlying protocol is secure, weaknesses may still be discovered in a program that implements the protocol for the vast majority of users on the Internet. These weaknesses may be open to malicious exploitation, which could cause harm to a large number of Internet users. However, in such an incident, and despite the impact on some users, it is suggested that the Internet overall could continue to work correctly, as Internet traffic would simply be routed away from the weakness until the incident is resolved.

  Clearly, though, the risks and threats to the security, integrity and resilience of the Internet have increased over recent years. Together with the shift towards greater interoperability between Internet-based networks and systems, this means that a major technical fault or network compromise affecting one system or network, such as a denial of service attack, has the potential to cascade and impact other connected systems. It is therefore vital that adequate levels of protection are in place to identify and minimise possible single points of failure, and that rapid recovery plans are introduced to pre-empt any large scale incident.

    Is the Internet industry doing enough to ensure the resilience and stability of the Internet, or is regulatory intervention unavoidable? What are the cost implications if the industry volunteers, or is forced, to do more?

  It is suggested that ensuring the ongoing resilience and stability of the Internet is a responsibility that must be shared by all those using the Internet, whether they be businesses, governments or individuals. However, Symantec recognises the responsibility we have to develop and implement tools and solutions that can protect our customers and, as a result, to play a role in ensuring the overall security and robustness of the Internet.

  Overall, Symantec believes that a modern approach to Internet security must be balanced between protection and preparedness to address incidents. As a result, security tools and solutions are increasingly being designed in and incorporated at the beginning of the process of building critical online systems. In addition, early warning capabilities, incident response services and real-time online threat intelligence capabilities have been developed by industry to enable organisations to address cyber incidents quickly and effectively. Having technology in place that is part of an organisation's everyday operations and provides a multi-layered defence against possible online threats is seen by Symantec as vital to protecting systems from, or limiting the impact of, any cyber-related attack.

  Symantec believes that regulation has a role to play in ensuring an effective regulatory and legal framework is in place that enables the information society to flourish. The recent steps taken in the EU review of the Telecoms Regulatory Framework to clarify that the computer security industry can process traffic data for network security purposes have been particularly welcomed by Symantec. However, just as the online threat environment continues to evolve at an increasingly fast pace, so too do the Internet and information technology. Therefore, given the rate at which the Internet is maturing, it is important that legislators do not try to intervene to address a specific threat or risk that industry may be better placed to address through the development of a tool or solution that could be applied more quickly than a regulatory measure. There may still be areas where increased international harmonisation of laws would be beneficial in assisting cross-border co-operation, prosecutions and mutual legal assistance in areas such as online crime. Overall, however, it is suggested that legislators should not try to run behind, or even ahead of, technological change but rather support industry efforts to address Internet threats.

    How concerned should be we be about criminally operated "botnets"? What evidence do we have that shows the scale of this problem, and the extent to which it can be tackled at the European level?

  Bots[1] are programs that are covertly installed on a targeted system and allow unauthorised users to remotely control the computer for a wide variety of purposes. Computers that form part of a botnet are under the control of the botnet operator and can be commanded to execute any function the botnet operator wishes, or any function dictated by whoever pays the botnet operator for access to the botnet. Attackers often co-ordinate large groups of bot-controlled systems, or bot networks, to scan for vulnerable systems and use them to increase the speed and breadth of their attacks. In 2008 Symantec observed an average of 75,158 active bot-infected computers per day, a 31% increase from the previous reporting period. Bot networks were also responsible for the distribution of approximately 90% of all spam email.

  It is the fact that attackers can use botnets to perform a variety of tasks, such as launching a denial of service attack, distributing spyware or harvesting confidential information from within an organisation's network, that makes botnets such a threat. Botnets are also inexpensive and, unfortunately, relatively easy to create and manage. In 2008 Symantec saw botnets being sold online for as little as $0.04 per bot.

  Bot networks create unique problems for organisations because they can be remotely upgraded with new exploits very quickly, which can potentially allow attackers to outpace an organisation's efforts to patch vulnerable systems. Symantec is also seeing botnet owners moving from traditional IRC-based botnets, which are easier to detect, track and therefore block, towards botnets based on HTTP traffic. This means that a botnet controller communicates with the computers under its control using HTTP, which can be hidden within other legitimate web traffic. It is therefore increasingly hard to distinguish command messages to botnets from legitimate HTTP traffic. This shift in the communication channel by which botnets are controlled means it will become increasingly difficult to identify and locate botnet controllers.

  So far the major botnets that have been observed have been used primarily for the distribution of spam. We have yet to see the impact of a major botnet comprising in excess of 100,000 infected computers being used in a widespread denial of service style cyber attack against a nation or region. The number of bots required to conduct a significant attack against an organisation is relatively low, and the potential damage an individual bot can inflict depends on the bandwidth available to it, or rather its upstream bandwidth.

  Clearly botnets are not solely a European problem, and therefore this is an area where international co-operation is needed. In fact, the country with the most botnet computers is China, which has 13% of the world's botnet computers, followed by the US. The UK was ranked 9th in the list of the top 10 countries for botnet computers in 2008. This compares with September 2005, when the UK was ranked the highest country in the world for botnet computers. It is suggested that the high concentration of botnets in the UK at that time may have been related to the roll-out and take-up of broadband, with users going online for longer periods of time without adequate security protection, making these computers perfect targets for botnet controllers building a bot network.

  Given the constantly evolving online threat environment and the way in which bot networks evolve (as seen above with the change from IRC to HTTP communications), there is no simple solution, or silver bullet, to the problem of botnets in Europe or internationally. However, the decrease in botnet computers in the UK warrants further consideration, as it may suggest that there are ways of addressing botnets. It is suggested that the decrease in botnets in the UK may be a result of users putting in place online security that is appropriate and adequate to their online activities. Therefore raising awareness and understanding of the importance of having a multi-layered defence against online threats is seen by Symantec as an important message to communicate across Europe, particularly in those newer Member States that may be taking the first steps in implementing a broadband network.

    The Commission is particularly concerned about cyber-attacks, and draws attention to events in Estonia in Spring 2007 and Georgia in August 2008. Is this concern justified?

  According to the latest Symantec Internet Security Threat Report, 49% of the top 10 attacks on government and critical infrastructures are denial of service attacks.[2] For example, eGovernment services continue to be a key target of large scale attacks against their infrastructure. It is also expected that such large scale attacks are likely to be targeted at those providing crucial societal functions across different Member States. In addition, in a number of cases there have been reports of attacks that were massive in scale but aimed not at causing disruption but at collecting intelligence and stealing confidential information.[3] The perpetrators of such cyber attacks can vary, ranging from criminals to terrorists and even hostile nations.[4]

  Clearly, however, the events in Estonia and Georgia are real-life examples of how sophisticated and targeted large scale cyber attacks can be. It is also suggested that these attacks are not the only incidents of their kind seen around the world. Given the impact that such large scale attacks can have, the Commission's concern about the security and resilience of Member States' critical systems and their ability to address cyber attacks is justified, particularly as it is still unclear to what extent the relevant parts of EU Member States' national administrations possess the technologies and e-skills needed to address cyber-attacks if they occur or to address issues related to the protection of the Internet.

    The events in Estonia led to a more public involvement by NATO in cyber-protection issues. Should the military be more involved in protecting the Internet?

  As stated earlier, addressing cyber security challenges is not something that can be solved by one European Member State, institution, law enforcement body or industry acting alone. Each actor has a different role to play depending on the type, or level, of incident taking place and the appropriate, measured level of response required. For example, service providers, security providers, law enforcement, security services and national critical infrastructure protection authorities may be the first port of call and clearly have a role to play in dealing with an incident. At the same time, however, we must not forget that cyberspace is increasingly becoming an area of military importance and an area in which different countries have developed capabilities and even command structures to address the perceived threat. NATO has become increasingly active in this area from the national security and national defence standpoint. This move recognises that once the threat becomes military in nature there is a role for military involvement and an appropriate response.

INTERNATIONAL RESPONSES

    The Commission believes that a pan-European approach is needed to identify and designate European Critical Infrastructures, and that national responses will be fragmented and inefficient. Is this analysis correct? Would multi-national companies be especially in favour of multi-national policies?

  Given the cross-border nature and interdependence of Member State critical infrastructure systems (ranging from the communications mechanisms linking citizens, to water, power and other Supervisory Control and Data Acquisition (SCADA) systems,[5] and in the near future pan-European e-government services), Symantec believes that effectively securing Europe's critical infrastructure network means having in place a common Europe-wide approach and strategy. This is seen as particularly important given that Member States are at different stages of Internet development and have different levels of understanding of the interconnected nature of networks and of the risk of possible cyber-attack. A Europe-wide approach to critical infrastructure protection would enable the development of a common, shared understanding and recognition of the specific critical infrastructures within Member States that need to be protected from online attacks. More importantly, a pan-European approach is necessary to identify the interdependencies that currently exist in the critical infrastructures shared across Member States, to ensure risks are identified, assessed and addressed in a way that protects these critical systems against possible attack.

  However, while co-operation at a European or international level is important, it should not be a substitute for countries taking a national approach that is appropriate to their level of maturity, identified risks and therefore specific requirements. The recent publication of the UK's cyber security strategy was welcomed by Symantec as an important step forward in helping to co-ordinate, and maximise, the efforts already well underway across government to address cyber security issues. Also welcomed was the prominence given throughout the strategy to finding ways for government and industry to work together to realise the Government's vision.

    The Commission draws attention to the emergence of "public-private partnerships" as the reference model for governance issues relating to critical infrastructure protection. However, they see no such partnerships at the European level and wish to encourage them. Are the Commission correct in this aim?

  European critical infrastructure is a patchwork of private and public operators spanning Member States. It is suggested that in many countries up to 90% of critical infrastructures are in fact privately owned. Therefore, in order to effectively address the security challenges of Europe's critical infrastructure assets, Symantec believes a co-operative approach between industry and government is necessary. Fostering co-operation and effective public-private working relationships, both within and between Member States, will help to ensure that expertise in critical infrastructure protection is identified, that information on cyber-related threats can be shared, and that common approaches are developed to dealing with threats that affect more than one sector or Member State. However, finding ways to create a trusted environment between public and private sector partners that enables information sharing to occur will be a key factor in ensuring the success of public-private partnerships.

  It is suggested that the obstacles to developing such partnerships at a European level may be both technical and legal. Currently it is felt that there are inadequate incentives for co-operation at the European level, and that the current legal framework does not foster or encourage information exchange. There is also an inherent issue of trust; clearly there is no silver bullet for this issue, and it will take time to resolve.

    Are there indeed market failures occurring so that there is inadequate preparation for high impact, low probability events? And if so, how should they be addressed?

  From the security industry's perspective, it is felt that the market has developed, and continues to develop, technological tools and solutions that are appropriate to the threats and risks identified, and addresses these accordingly.

  It may be that, while critical infrastructure protection has traditionally focused on the protection of physical infrastructures and material assets, the move towards greater reliance on Internet-based networks and systems has required a shift in organisations' understanding and recognition of the risks they face in an increasingly interconnected threat landscape, and of the need for a new approach to defending and protecting critical infrastructures. It must be recognised that different organisations, sectors and even Member States will be at different stages of their technological development. Therefore these organisations or Member States may not recognise that, while the likelihood of a cyber-attack such as a denial of service attack occurring may still be low, the potential negative impact on the ability of an organisation's networks to operate and communicate with other partners may be very high. While the security industry has developed tools and solutions to address the resilience, availability, security and integrity of networks and systems, it is suggested that organisations must first understand the need to shift towards a security approach that recognises the interconnected nature of European networks before they can consider how to prepare for such incidents and put in place appropriate, or adequate, security measures.

  Symantec believes it is more important than ever for organisations to prepare for incidents by taking a risk management approach to addressing online threats and risks, to ensure the security, integrity and availability of networks and services and to protect the resilience and robustness of EU information and communications networks. A risk assessment is a proactive mechanism that can help organisations to evaluate current vulnerabilities, identify upcoming threats, consider their level of risk, establish appropriate processes and procedures and define proper countermeasures. Conducting regular risk assessments is an important element of any organisation's ability to identify, understand and appropriately address the known, and unknown, risks it may be facing. Symantec has supported the moves taken in Europe to introduce into the reviewed Telecoms Regulatory Framework the importance of taking a risk assessment based approach to addressing the security requirements of communication networks.

    The Commission supports the European Information Sharing and Alert System (EISAS). Is it appropriate to develop this type of pan-European early warning and incident response capability?

  Symantec strongly believes that information sharing is a fundamental component of critical infrastructure protection. The online threats we see today are dynamic and change rapidly, and therefore require unprecedented vigilance and early detection of and response to risks. Having the right information at the right time can enable a timely response to an attack on critical information systems. For instance, real-time information collection, correlation, analysis and response capability can help to identify abnormal or irregular behaviour on networks that could indicate suspicious activity, or even an attack on critical infrastructure systems, before it occurs. Symantec supports the creation of EISAS as an important resource for sharing information and providing alerts that could help Member States to protect critical infrastructures proactively and so minimise the potential impact of cyber-attacks.

  An example of an effective information sharing system is the US IT-Information Sharing and Analysis Center (IT-ISAC), of which Symantec is a founding member. The IT-ISAC established a common standard for information sharing, which provides systems and interfaces that allow information to be exchanged securely. This partnership ensures that organisations have a broader view of the online threat situation than any single organisation could, and it can provide early warning services to its partners. It is suggested that any European initiative in this area could be developed in a way that complements and mirrors the success of existing systems.

  However, to assist in the development of EISAS, and as a way to ensure greater effectiveness in information sharing between European partners, Symantec believes consideration should be given to the development of a common language, or terminology, for security incidents, response and escalation. It is suggested that the ability of stakeholders to speak the same technical language in the event of a cyber-attack could help promote greater co-operation and cohesiveness in responses to incidents. It may also help to alleviate any challenges posed by the use of different technologies across Member States.

    Are Government operated Computer Emergency Response Teams (CERTs) an appropriate mechanism for dealing with Internet incidents?

  CERTs play an important role within Member States by providing a national focal point for information, guidance, warnings, reports and alerts. One reason why CERTs may seem to work well could be that they are fairly small communities, and the prestige of being first to report a vulnerability within the peer group can be reward enough. The CERT model is also flexible enough to enable Member States to develop multiple CERTs, or different types of CERT, depending on the type of risk or threat activity that needs to be covered. Symantec supports the CERT model and sees it as an appropriate means of sharing information and encouraging a collaborative approach to addressing cyber-related issues within, and between, Member States.

    Will the UK's existing approaches to this policy area be adversely affected by fitting in with a European-wide system—or will this lead to improvements?

  It is suggested that the introduction of a Europe-wide system would not hamper the UK's efforts but could in fact do the opposite and enable an overall improvement in the level of resilience across Europe. For example, an EU system could act as a means by which the overall level of cyber security and resilience is raised and set (harmonised) at a higher level, while still allowing for national flexibility. As a result the UK's existing approach would still apply, while other Member States' activities could be raised to replicate the same level of security and resilience.

    Is it sensible to develop European-centric approaches at all, or should there be much more emphasis on a worldwide approach? In particular, are US policies consistent with the proposed European approach to the problem?

  Clearly Internet threats and the risk of attack are not problems that Europe faces alone. Internet security is a global problem that requires a global approach, given that threats and attacks can travel around the world at the click of a button. Therefore it is suggested that any European approach that is developed should be discussed with other countries to encourage greater co-operation and collaboration between countries before and after a cyber incident occurs.

European Network and Information Security Agency (ENISA)

    The Commission sees a major role for ENISA in developing national CERTs, and in assessing the development and deployment of EISAS. Is ENISA an appropriate body for this work?

  Since its creation in 2004, ENISA has played a valuable role in bringing together government, industry and academia to share experience, knowledge and good practice. It provides a forum for discussion, a platform for education and information exchange, and an environment in which greater co-operation and awareness raising can be encouraged and enhanced. The role of ENISA is to help the development and deployment of national CERTs, not to act as a systems integrator. However, Symantec does see a possible co-ordinating role for ENISA between Member States and stakeholders with concerns about cyber attacks and incidents, and the corresponding national CERTs. For example, ENISA could work with CERTs to gather anonymised information and data on cyber attacks conducted in Europe, which could be reviewed and discussed with ENISA's industry working groups as a way to develop and promote examples of best practice in addressing cyber attacks across Europe. However, it is suggested that ENISA should not attempt to replicate or reinvent efforts that are already ongoing in industry, but rather find ways to identify and promote best practice and encourage industry efforts.

    Is ENISA being effective in its role, or does it need reform?

  ENISA has been effective within its current mandate, but it is understood that this mandate is currently under review.

Timescales

    Most of the Commission's plans are to be put into practice by the end of 2010. Is this timescale realistic?

  It is understood that the Commission's approach has a number of different areas of focus. Progress going forward may depend on whether priority issues or specific targeted areas of activity are identified, and on whether adequate resources are made available.

  November 2009



1   Bots, short for "robots", are programs that are covertly installed on a user's machine in order to allow an unauthorised user to control the computer remotely.

2   Symantec Internet Security Threat Report Volume XIV at http://www.symantec.com

3   See recent reports on Ghostnet: http://www.symantec.com/security_response/writeup.jsp?docid=2009-033015-5616-99

4   See reports on DDoS attack incidents in Estonia, Lithuania, Georgia and more recently in Korea and the US: http://blogs.zdnet.com/security/?p=1533, http://searchsecurity.techtarget.com/news/article/0.289142.sid14_gci1361258.00.html

5   Supervisory Control and Data Acquisition (SCADA) networks are comprised of remote software and hardware elements (including sensors, relays, switches, databases, networks and applications, among others) whose functioning enables the automated delivery of essential goods and services, including energy and power, water, and waste treatment. They are thus a key component of Europe's critical infrastructure, and their security is integral to European citizens' ability to access key services on an uninterrupted basis.


© Parliamentary copyright 2010